Is a government building's key-card access log a public record under Oklahoma's Open Records Act?

Plain-English summary

A news organization asked an Oklahoma agency for two years of key-card access data showing when one specific employee entered the building. The agency refused, citing the Open Records Act exceptions for terrorism-related details and information-technology security.

Representative Waldron asked the AG: is a key-card access log even a public record? And if so, do those exceptions actually apply?

AG Drummond answered:

1. Yes, it's a record. The Open Records Act broadly defines "record" to include "data files created by or used with computer software." A log of key-card swipes plainly fits.
2. Records are open unless an exception applies. Oklahoma policy strongly favors public access. The agency has the burden to show an exception applies.
3. Neither exception cited covers this log. The terrorism exception (§ 24A.28(A)(3)) requires the record to contain "details for deterrence or prevention of or protection from an act or threat of an act of terrorism." A swipe-in log doesn't reveal any anti-terrorism details. The IT-security exception (§ 24A.28(A)(5)) requires the record to "specifically identify" security architecture (system schematics, configurations, scanner placements, etc.). A simple log of who entered and when doesn't.
4. Even if part of the record is exempt, redaction is the answer. If the log contains, say, scanner-location details (potentially exempt) along with names and times (not exempt), the agency must redact the exempt parts and produce the rest under the "reasonably segregable" rule.

The opinion notes other potentially exempt fields, like Social Security numbers (mandatory redaction under § 24A.7(D)): but the same redact-and-produce rule applies.

What this means for you

If you are a journalist or member of the public seeking key-card data

You have a strong basis to demand it. The agency cannot refuse outright; it must redact any specifically exempt fields and produce the rest. If the agency refuses entirely, cite this opinion and Oklahoma Association of Broadcasters v. City of Norman (2016), which puts the burden on the agency to show an exception applies.

If you are a public records officer at a state agency

When you receive a request for key-card data, do not deny on terrorism or IT-security grounds without close analysis. Ask:

• Does the requested log contain specific security architecture details (scanner locations, system identification numbers)? If so, those fields can be redacted.
• Does the log contain Social Security numbers or other mandatorily confidential employee identifiers? Redact.
• Is there an actual, particular threat or investigation that would make disclosure dangerous? That's a closer call but requires real factual support, not just speculation.

Default to producing the data with appropriate redactions, not denying.

If you supervise government employees

Key-card swipe data is now confirmed accessible under the ORA. Employees may be subject to public scrutiny of their building entries during work hours. If that creates HR concerns, raise them through policy channels, but it is not a basis to deny ORA requests.

If you advise public bodies on records compliance

Build training for your records officers around: (1) presumption of openness, (2) exception narrowness, (3) redaction over denial, (4) burden of proof on the agency. The opinion adds a helpful Ohio Supreme Court parallel (State ex rel. Ohio Republican Party v. FitzGerald) that reached the same conclusion under similar Ohio statutes, a useful reference for your legal opinions.

If you are an Oklahoma legislator considering ORA changes

The AG noted that "[i]t is up to the Legislature to balance the policy of openness underlying the ORA with the potential for mischief that may result from that policy." If a particular type of data (like swipe logs of judges, prosecutors, or officials at high risk) needs broader protection, that's a legislative question.

If you are concerned about your own privacy as a government employee

A key-card log is the building owner's record, not your personal record. The ORA treats employee identities as generally non-confidential (subject to specific exceptions). If your concern is around stalking or harassment, talk to your agency's HR or legal counsel about additional protections.

Common questions

Q: Can I get key-card data for any state employee?
A: Generally, yes: for entries to public buildings during the regular course of public employment. Specific personal-identifier fields (SSN, certain ID numbers) are confidential, but the basic "who entered when" data is open.

Q: What if the record contains scanner locations?
A: That detail might fall under the IT-security exception if the placement of scanners reveals security architecture. The agency can redact those fields and provide the rest.

Q: Does this apply to security camera footage?
A: This opinion specifically addresses key-card logs. The Ohio Supreme Court in Welsh-Huggins applied a use-based test to security camera footage; Oklahoma's terrorism exception is content-based, not use-based. Camera footage might still raise terrorism or IT-security concerns under different analysis.

Q: Does it matter what the requester plans to do with the records?
A: No, generally. Oklahoma's ORA, like the federal FOIA, treats records as open regardless of the requester's identity or motive. The terrorism exception in § 24A.28 focuses on the record's content, not its potential misuse.

Q: What is "reasonably segregable"?
A: Section 24A.5(3) requires the agency to redact exempt portions and provide the remainder if doing so doesn't require creating a new record. If splitting out the exempt material would essentially require building a new database, the agency may have grounds to refuse, but mere redaction is normally feasible for log data.

Q: How do I challenge a denial?
A: File suit under the ORA's enforcement provisions. The agency bears the burden of justifying any denial. Expedited proceedings are available.

Q: Are there any public bodies that aren't subject to the ORA?
A: The ORA applies broadly to "public bodies" as defined in § 24A.3. Some entities may have separate exemptions in other statutes (intelligence operations, certain law-enforcement records), but most state and local agencies are covered.

Background and statutory framework

The Open Records Act, 51 O.S. §§ 24A.1–24A.34, was enacted "to ensure and facilitate the public's right of access to and review of government records so they may efficiently and intelligently exercise their inherent political power." The Oklahoma Supreme Court has called this "strong public policy" and held that the ORA must be construed "to allow access unless an exception clearly applies, and the burden is on the public agency seeking to deny access" (Oklahoma Ass'n of Broadcasters v. City of Norman, 2016).

Section 24A.28 contains a list of exceptions for security-related information. The two cited by the agency:

• § 24A.28(A)(3): Terrorism exception: covers "details for deterrence or prevention of or protection from an act or threat of an act of terrorism." Definition of terrorism per 21 O.S. § 1268.1(8) requires kidnapping, violence, or threats of violence with specified intent.
• § 24A.28(A)(5): IT-security exception: covers "information technology" but only if the record specifically identifies design schematics, system configurations, security monitoring placement, system identification numbers, business continuity plans, or investigative information about security penetrations.

The Ohio Supreme Court analyzed an analogous scenario in State ex rel. Ohio Republican Party v. FitzGerald (2015) and concluded that key-card-swipe data does not fit Ohio's "infrastructure records" exemption (which is parallel to Oklahoma's IT-security exemption). The Ohio court did find the data fit the "security records" exemption, but Ohio's exemption is based on actual security use, not record content. Oklahoma's terrorism exemption is content-based, and a log of names and entry times does not contain anti-terrorism details.

The "reasonably segregable" rule in § 24A.5(3) requires partial production with redaction whenever feasible. This matches the federal FOIA's segregability rule.

Citations and references

Statutes:
- 51 O.S. §§ 24A.1–24A.34, Oklahoma Open Records Act
- 51 O.S. § 24A.5(3), Reasonably segregable rule
- 51 O.S. § 24A.7(D), SSN confidentiality
- 51 O.S. § 24A.28: Terrorism and IT-security exceptions

Cases:
- Oklahoma Ass'n of Broadcasters, Inc. v. City of Norman, 2016 OK 119, 390 P.3d 689, agency burden to justify denial
- Citizens Against Taxpayer Abuse v. City of Oklahoma City, 2003 OK 65, 73 P.3d 871, records open unless exception applies
- State ex rel. Ohio Republican Party v. FitzGerald, 2015-Ohio-5056, 47 N.E.3d 124, analogous Ohio analysis

Source

• Landing page: https://oklahoma.gov/oag/opinions/ag-opinions/2025/ag-opinion-2025-09.html
• Original PDF: https://oklahoma.gov/content/dam/ok/en/oag/opinions/ag-opinions/2025/A.G. Opinion 2025-9 2025 OK AG 9.pdf

Original opinion text

GENTNER DRUMMOND
ATTORNEY GENERAL
ATTORNEY GENERAL OPINION
2025-9
The Honorable John Waldron
Oklahoma House of Representatives, District 77
2300 N. Lincoln Boulevard, Room 544
Oklahoma City, OK 73105

July 1, 2025

Dear Representative Waldron:
This office has received your request for an official Attorney General Opinion in which you ask,
in effect, the following:
Is a public body’s data log that shows employees’ key-card access to its
building an open record subject to disclosure under the Oklahoma Open
Records Act, 51 O.S.Supp.2024, §§ 24A.1–24A.34?
I.

SUMMARY
An entrance log, as described in your request, is a record and the Oklahoma Open Records Act
(“ORA”) generally requires a public body to allow public access to its records so the people “may
efficiently and intelligently exercise their inherent political power.” 51 O.S.2021, § 24A.2. And
while the ORA sets forth certain exceptions that permit public bodies to withhold access to
information related to the security of public property, a log of employees entering a building via
key-card access does not, without more, fit any of those exceptions. See 51 O.S.Supp.2023, §
24A.28. Finally, even if a key-card entry log qualifies for an exception to the ORA, the proper
response from the public body would be to redact the exempt material if it is “reasonably
segregable,” and produce the remainder of the log. 51 O.S.Supp.2024 § 24A.5(3); see also 2023
OK AG 1, ¶ 18, 2009 OK AG 33, ¶¶ 4, 31.
II.

BACKGROUND
The ORA was enacted “to ensure and facilitate the public’s right of access to and review of
government records so they may efficiently and intelligently exercise their inherent political
power.” 51 O.S.2021, § 24A.2. Under the ORA, a record must be made available for public

The Honorable John Waldron
Oklahoma House of Representatives, District 77

A.G. Opinion
Page 2

inspection unless it falls within a statutory exception. Citizens Against Taxpayer Abuse, Inc. v. City
of Oklahoma City, 2003 OK 65, ¶ 12, 73 P.3d 871, 875. 1
Here, a news organization has sought records from an agency that reflect one employee’s key-card
entry into the agency’s building for the years 2023 and 2024. The agency denied the request,
asserting that ORA exceptions relating to terrorism and security monitoring permitted the agency
to keep the records confidential. See 51 O.S.Supp.2023, § 24A.28. The agency’s denial does not
describe what information is in these records, nor has this office independently investigated the
issue. However, one could reasonably expect the records to include employee name and/or
identification number, date and time of entry, and perhaps the location of the key-card scanner if
the building has more than one point of entry.
III.
DISCUSSION
Any analysis of an ORA request begins by asking whether the requested information is a “record”
at all. Here, even without knowing the particulars, it is safe to conclude that a log reflecting keycard access to a government building plainly falls within the ORA’s broad definition of record. See
51 O.S.Supp.2024, § 24A.3 (defining “record” to include, e.g., “data files created by or used with
computer software”). As such, the log must “be open to any person” unless otherwise exempt by
virtue of another provision of the ORA. Id. § 24A.5. 2 And “[b]ecause of the strong public policy
allowing public access to governmental records” this office must construe the ORA “to allow
access unless an exception clearly applies, and the burden is on the public agency seeking to deny
access to show a record should not be made available.” Oklahoma Ass’n of Broadcasters., Inc. v.
City of Norman, Norman Police Dep’t, 2016 OK 119, ¶ 15, 390 P.3d 689, 694 (emphasis added)
(citations omitted).
Turning to the agency’s response, the ORA allows public bodies to maintain confidentiality of
information that relates to efforts to investigate and protect public property from acts of terrorism, 3
1

The ORA defines “record” in relevant part as:
[A]ll documents including, but not limited to . . . data files created by or used with computer
software, . . . or other material regardless of physical form or characteristic, created by,
received by, under the authority of, or coming into the custody, control or possession of
public officials, public bodies or their representatives in connection with the transaction of
public business, the expenditure of public funds or the administering of public property.

51 O.S.Supp.2024, § 24A.3.
2
This information need only be made accessible in the form in which the public body maintains it. 1999 OK
AG 55, ¶ 23 (citing 51 O.S.Supp.1991, § 24A.18).

The ORA defines “terrorism” in this context—via reference to the Oklahoma Anti-Terrorism Act—in
relevant part as:
3

[O]ne or more kidnappings or other act of violence, or a series of acts of violence, resulting in
damage to property, personal injury or death, or the threat of such act or acts that appears to be
intended:

The Honorable John Waldron
Oklahoma House of Representatives, District 77

A.G. Opinion
Page 3

as well as other specifically identified government information that the Legislature deemed
sensitive enough to keep from public view. See 51 O.S.Supp.2023, § 24A.28(A). The first
provision cited by the agency allows a public body to keep confidential “[r]ecords including details
for deterrence or prevention of or protection from an act or threat of an act of terrorism.” Id. §
24A.28(A)(3). Assuming the agency’s key-card access log reflects only who enters the building
and when, such information does not reveal any detail about the State’s measures to deter, prevent,
or protect against terrorism, even as the ORA broadly defines that term. See supra footnote 3.
The second provision cited by the agency allows a public body to withhold access to “information
technology…but only if the information specifically identifies:”
a. design or functional schematics that demonstrate the relationship or
connections between devices or systems,
b. system configuration information,
c. security monitoring and response equipment placement and configuration,
d. specific location or placement of systems, components, or devices,
e. system identification numbers, names, or connecting circuits,
f. business continuity and disaster planning, or response plans, or
g. investigative information directly related to security penetrations or denial of
services;
Id. § 24A.28(A)(5) (emphasis added). As with the prior provision, it is unclear how a record that
simply identifies which employees entered the building and when could fall within any of these
categories of information. 4 But even if, for instance, a key-card access log “specifically

a.

to intimidate or coerce a civilian population,

b.

to influence the policy or conduct of a government by intimidation or coercion, or

c.

in retaliation for the policy or conduct of a government by intimidation or coercion.

51 O.S.Supp.2023, § 24A.28(C); 21 O.S.2021, § 1268.1(8).
4
The Ohio Supreme Court interpreted comparable provisions in Ohio’s open records statute in State ex rel.
Ohio Republican Party v. FitzGerald, 2015-Ohio-5056, 145 Ohio St.3d 92, 47 N.E.3d 124. There, a county declined
to provide similar “key-card-swipe data,” claiming the data met both the “security records” and “infrastructure
records” exemptions under Ohio law. Id. at 129. The court found the “infrastructure records” exemption, which is
roughly equivalent to the ORA’s information technology exemption in section 24A.28(A)(5), did not apply because
the key-card access data showed only when county personnel entered or left the building. It did not reveal anything
about the building’s infrastructure or critical systems. Id. at 130. Next, the court found the data met the “security
records” exemption, but (1) that provision applied only to “information directly used for protecting or maintaining the

The Honorable John Waldron
Oklahoma House of Representatives, District 77

A.G. Opinion
Page 4

identifie[d]” the number and location of building entrances that allow entry by key-card, which
ostensibly could be kept confidential under subsections (c), (d), or (e), the ORA does not allow the
wholesale denial of access to the record. Rather, if the confidential information is “reasonably
segregable” from the rest of the record, then the agency must redact the confidential information
and produce the remainder. 51 O.S.Supp.2024, § 24A.5(3); see also 2023 OK AG 1, ¶ 18, 2009
OK AG 33, ¶¶ 4, 31.
Aside from the exceptions specifically mentioned in the agency’s response, it is possible that
employee information included in the entry log is confidential under other provisions of the ORA
or separate state or federal laws. For an ORA example, rather than, or in addition to, identifying
an employee by name, the log could use the employee’s social security or employee identification
number. A public body is required to keep the former confidential, see 51 O.S.Supp.2022, §
24A.7(D), while disclosure of the latter is discretionary and subject to a balancing test to determine
whether it “would constitute a clearly unwarranted invasion of personal privacy.” Oklahoma Pub.
Employees Ass’n v. State ex rel. Oklahoma Office of Pers. Mgmt., 2011 OK 68, ¶ 35, 267 P.3d 838,
850-51, (quoting 51 O.S.Supp.2005, § 24A.7(A)(2)). Regardless, the appropriate path forward
under the ORA is the same: redact the information that is exempt from disclosure and allow access
to the remainder. See 51 O.S.Supp.2024, § 24A.5(3). 5
Finally, this office is mindful that information contained in records like a key-card entry log, while
required by law to be open to the public, could be misused. Unfortunately, that could be said of
many public records. It is up to the Legislature to balance the policy of openness underlying the
ORA with the potential for mischief that may result from that policy. The Legislature has included
a litany of exceptions to the ORA to protect sensitive information and the privacy of individuals
whose information appears in public records. See, e.g., 51 O.S.2021, § 24A.2 (“The privacy
interests of individuals are adequately protected in the specific exceptions to the Oklahoma Open
Records Act or in the statutes which authorize, create or require the records.”). Whether additional
measures are warranted is a policy question for the Legislature to answer. This office can only
interpret the statute as it is currently written. See, e.g., 2017 OK AG 3, ¶ 10, 2014 OK AG 14, ¶ 8.
See also Welsh-Huggins v. Jefferson Cnty. Prosecutor’s Office, 2020-Ohio-5371, 163 Ohio St. 3d
337, 170 N.E.3d 768, 784-85 (interpreting whether security camera footage constituted an exempt
“security record” based on “the public office’s actual use” of the footage, not the potential for the
requester to misuse it).
security of a public office against attack, interference, or sabotage,” and (2) confirmed threats against county personnel
meant release of the data could compromise law enforcement protection efforts. Id. at 129-30 (quoting OHIO REV.
CODE § 149.433(A)(3) (emphasis added)). By contrast, the ORA exception cited here does not turn on how the
information is used. Instead, its focus is the record’s content: “details for deterrence or prevention of or protection
from an act or threat of an act of terrorism[.]” 51 O.S.Supp.2023, § 24A.28(A)(3). Based on the information provided
to this office, there is no reason to believe the agency’s key-card access log includes such details.
5 As noted above, the particular data maintained regarding key-card access is known only to the agency. Thus,

questions of fact may need to be resolved to determine whether one or more ORA exemptions apply to this records
request. In addition, determinations of fact will be necessary to answer whether the exempt information is “reasonably
segregable” such that redactions are feasible without requiring the agency to create an entirely new record simply to
satisfy the request, something that the ORA does not demand of public bodies. See Progressive Independence, Inc. v.
Oklahoma State Dept. of Health, 2007 OK CIV APP 127, ¶¶ 13-16, 174 P.3d 1005, 1009, and footnote 2, supra. This
office cannot resolve these fact questions, as it may only offer its opinion as to “questions of law.” 74 O.S.Supp.2024,
§ 18b(A)(5).

The Honorable John Waldron
Oklahoma House of Representatives, District 77

A.G. Opinion
Page 5

It is, therefore, the official Opinion of the Attorney General that:
A data log that reflects employees’ use of key-cards to access a public body’s
building is an open record subject to disclosure under the Oklahoma Open
Records Act (“ORA”), 51 O.S.Supp.2024, §§ 24A.1–24A.34. If portions of the
record are subject to an exception to the ORA, for instance in title 51, section
24A.7 or 24A.28 of the Oklahoma Statutes, and the exempt information is
“reasonably segregable” from the rest of the record, the public body must
redact the exempt information and provide access to the remainder of the
record. 51 O.S.Supp.2024, § 24A.5(3).

GENTNER DRUMMOND
ATTORNEY GENERAL OF OKLAHOMA

KYLE SHIFFLETT
DEPUTY GENERAL COUNSEL